What Fitbit Knows About You | Avast - Security Boulevard


I think about my body a lot. I think about how it feels; how to make it feel better; what parts hurt; what I’m putting into it; how it’s sleeping; how much it weighs; how tall it is; whether or not it’s going to get Covid-19; how to treat it better… You get the idea.

And as someone who thinks about their body a lot, I’ve chosen to use a Fitbit — specifically a Fitbit Inspire HR — to help me understand it. But it wasn’t until I started this What Does the Internet Know About Me? series that I realized that while the Fitbit gives me a lot of information about myself, I don’t actually know what it knows about me.


What Fitbit tracks

Let’s start with the obvious: The purpose of a Fitbit is to help you track your health, in various ways. Users can customize what they want to track. I’m tracking:

  • Sleep: When and how much
  • Heart rate: Resting; 24/7 tracking
  • Steps: Per day and per hour
  • Weight: Including weight change
  • Food: Calories in; food eaten
  • Exercise: What I do; when I do it; how much I do it; what I do the most
  • Friends: I’m only connected to my older brother (who always beats me in step count) but users can connect their contacts, Facebook, email, or search by username
  • Device: Which one I have; which hand I wear it on

On the less obvious side of things, the Fitbit also knows:

  • When I wake up and go to bed: Through silent alarms and sleep tracking
  • Profile information: Birthday; sex; height; weight; location (if you share — I don’t)
  • Timezone: I didn’t share my location, but it knows my time zone is Pacific
  • IP address: If you visit the Fitbit website

What Fitbit could potentially figure out

And then there are the even less obvious things that Fitbit could know about you, if they really wanted to. The following is all conjecture — there’s no evidence that Fitbit has an interest in figuring this stuff out about users. But I wanted to highlight how this data can be used in ways we all, as users, might not think about. 

I decided to focus on whether or not Fitbit can tell when a user ingests different types of intoxicating substances. For example, a few months ago I had a boozy, full afternoon brunch with friends. Altogether, it was a very unhealthy day.

But when I got home, I noticed I’d burned over 3,000 calories that day, despite sitting on my butt and not getting even close to my 10,000 step goal. What was that about? 

So I did some research. According to threads on the Fitbit Community site, it’s common for resting heart rate to go up a few beats both while drinking and for a couple of days after. This can “confuse” your Fitbit, because a higher heart rate should mean more physical activity — but in this case just means you’re boozing.

I was surprised by some of the other unusual ways that people are using Fitbit. According to articles from 2018, at least one person was using their Fitbit to monitor how harder drugs were affecting them. There were also stories about using the Fitbit to keep a handle on drug use at Burning Man, the yearly music and art festival.

It might seem far-fetched, but it’s theoretically possible that Fitbit — or someone with their hands on a user’s Fitbit data — could use a combination of location data (are they at a bar? At a festival like Burning Man?), time of day, and heart rate to determine if someone was ingesting a substance. For this to work, aggregate data would need to be studied to distinguish the markers of one activity (such as using an illicit substance) from other activities. This might be highly unlikely, but even a quick peek at someone’s data would allow you to draw broad conclusions about their health.

Potential insurance tie-ins

A perhaps more common theoretical situation is what could happen if the Affordable Care Act (ACA) is eliminated, allowing insurance companies to deny coverage if someone has a pre-existing condition. In that case, Fitbit data could be used to determine if someone has a heart condition, is overweight or obese, or even if they have issues with fertility.

Has this been done so far? Not to our knowledge. But we do know that Fitbit has programs that work with both insurance companies and employers. We also know that they share data with law enforcement if they’re legally required to. It’s impossible to know all of the edge cases of how this data could theoretically be used, but it’s important for us as users to understand the fact that there are edge cases — and that data this personal might reveal things about us that we’d prefer not to be revealed.

Lastly, I was curious about whether or not Fitbit knows my social media handles. In my profile, I checked out “Third Party Apps,” which showed that the only one I’d connected was MyFitnessPal. However, if you use the Facebook or Google sign-in option for Fitbit, it will have that information. 

What does Fitbit do with my data?

Once I knew what information Fitbit collected about me, it was time to figure out what they do with it. That required a deep dive into their Privacy Policy. It says that Fitbit “may share” aggregated or de-identified non-personal information “so that it cannot reasonably be used to identify an individual. For example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.”

They also mention that they might share information when asked to share by the user, for example if you give a third-party app access to your Fitbit account or if you participate in an employee wellness program. In those cases, Fitbit will share information with those accounts or with your employer, until and unless you revoke that access. 

Fitbit’s Privacy Policy also says “We never sell your personal data.” However, later in the privacy policy they say that data is used for marketing. When asked to explain how these two can both be true, a Fitbit spokesperson told me, “Fitbit never sells personal data and we do not share customer personal information except in the limited circumstances described in our privacy policy. Our business model is not based on advertising. We do not target users with third-party ads. Like many others, we advertise our own products and services and work with advertising partners who help us with this. We disclose this in our Privacy Policy and explain to users what their privacy options are.” 

I also asked who the “third parties” that Fitbit may share information with are. In addition to the ones I’ve already mentioned, they said they might share data with “partners who help us provide our product and services – for example, we share limited data on a confidential basis to our third-party customer support and billing service providers.”

The Privacy Policy also states that they’ll share info with law enforcement “when required by law.” A Fitbit spokesperson elaborated: “Like many companies, Fitbit responds to valid legal process issued in compliance with applicable law. Respect for the privacy of our users drives our approach. Our policy is to notify our users of legal process seeking access to their information unless we are prohibited by law from doing so as explained in our privacy policy. When we receive a request, our team reviews it to make sure it satisfies legal requirements and Fitbit’s policies, and Fitbit will only disclose content and geo-location data pursuant to a valid search warrant.” Some companies publish what is known as a “warrant canary”, which signals to users that a service provider has been served with government subpoenas. Fitbit does not.

Now, if I were in Europe, things might be slightly different because Europe has more stringent privacy protection than the US, in the form of the General Data Protection Regulation (GDPR). European Fitbit users are asked for explicit consent when they “take actions leading to” Fitbit obtaining “health data or another special category of personal data subject to the GDPR.” The examples they give include “when you pair your device to your account, grant us access to your exercise or activity data from another service, or use the female health tracking feature.” They also let European users withdraw their consent to sharing data or using their data for direct marketing at any time.

What am I getting in exchange for my data? What are the tradeoffs?

Fitbit is “free” in that you pay once for the device and that’s it — you don’t have to pay for subsequent access to the app. But I am giving them something in return: My data. So is it worth it?

For me, the benefit of trading my data for access to the Fitbit is clear. My Fitbit is my third-most used device, after my laptop and phone. I look at it dozens of times per day, whether it’s to check the time, my steps, my calories burned, my heart rate when I’m working out, or the timing of a workout. It’s an essential part of my health plan, keeping me on track with my health and fitness goals and giving me insights into what’s going on inside my body. 

What can I say? I’m a nerd. I like data and numbers and Fitbit is excellent at providing me with those. 

What are the broader implications of Fitbit having access to my data?

The data collected by Fitbit is some of the most personal data that a company could collect. It’s about our bodies; these weird vessels that we move around in. Fitbit is great because it tells us things about our insides, but it also means that it should be held to a high standard when it comes to how they manage and use our data. 

From what I can see from the outside, they take that responsibility pretty seriously. They don’t sell personal data to advertisers. They’ve taken HIPAA into account, becoming as close to compliant as possible in order to make it easier for them to work with insurance companies and health care providers. And they give users the right to view, download, and delete their data at any time, which is right in line with privacy best practices. 

However, like all data sets, it’s possible that my Fitbit data could be used against me in ways I haven’t anticipated. For example, it could be used in a criminal case, which has happened a couple of times already. So far, though, the data that have been used in criminal cases — at least the ones we know about — were supplied by the users themselves. I reached out to Fitbit for more information on when they share information with law enforcement and have not heard back at time of publication.

The other big question mark at this time is what will happen now that Fitbit has been acquired by Google. The deal was originally announced in 2019; was tied up in regulatory review for a while; and finally went through in January 2021. And some users are concerned about Google having access to even more information about them.

Both Fitbit and Google have made strong statements about protecting user privacy moving forward, assuring us that nothing will change. Google says that “This deal has always been about devices, not data, and we’ve been clear since the beginning that we will protect Fitbit users’ privacy.” And in their announcement about the acquisition, Fitbit wrote:

“The trust of our users will continue to be paramount, and we will maintain strong data privacy and security protections, giving you control of your data and staying transparent about what we collect and why. Google will continue to protect Fitbit users’ privacy and has made a series of binding commitments with global regulators, confirming that Fitbit users’ health and wellness data won’t be used for Google ads and this data will be kept separate from other Google ad data. Google also affirmed it will continue to allow Fitbit users to choose to connect to third party services.”

After all of this, I still feel comfortable with the exchange of data for service that I have with Fitbit. Might that change in the future? Sure. Maybe. But so far they seem to be doing a pretty good job. 

*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/what-fitbit-knows-about-you-avast